The EU published a delegated regulation under the controversial Radio Equipment Directive in its Official Journal on Wednesday. It is intended to help prevent data breaches in wirelessly networked devices such as smartphones and other portable computer systems. Manufacturers of the device categories it covers must ensure by August 1, 2024 at the latest that their products meet the security requirements before they can be placed on the EU market. The regulation could enter into force because neither the Council of Ministers nor the EU Parliament raised objections.
The EU Commission had proposed the amendment to the Radio Equipment Directive (RED) at the end of October. Article 3(3)(d), (e) and (f) of the RED stipulate that certain network devices must not have "detrimental effects on the network or its operation" or cause "misuse of network resources", and that they must protect personal data and privacy. They must also provide "fraud protection features", for example two-factor authentication.
New device classes
In the new regulation, which takes effect on February 1 and is to be applied after a transitional period of 30 months, the Commission defines the device classes to which these rules apply. These are primarily networked radio devices such as mobile phones, laptops, dongles, alarm systems, cameras and home automation systems. According to the Commission, there is a high risk that such devices will be hacked and that data protection problems will arise once they are connected to the Internet.
"Smart" toys, which repeatedly turn out to have security problems, and childcare devices such as baby monitors are also covered by the regulation. The requirements likewise apply to wearables such as smartwatches and fitness trackers, which monitor and record a range of sensitive user data such as location, temperature, blood pressure and heart rate over extended periods. Up to now, such sensitive information has sometimes been transmitted over insecure short-range communication technologies.
Motor vehicles, electronic toll collection systems, remote controls for unmanned aerial vehicles such as drones, and radio equipment that is not itself airborne but can be installed in aircraft are exempt from the increased privacy and fraud protection requirements, because separate EU rules on cyber security already apply to them.
Medical devices are left out for the same reason. According to the regulation, implants are generally not considered wearable radio equipment "since they are not worn, strapped or fastened to the body or clothing". However, implanted devices are included "if they themselves are able to communicate via the Internet, regardless of whether they connect directly or via another device" with the outside world.
To make it easier for small companies to comply with the requirements, the Commission intends to issue a standardization request to the responsible European standards organizations. Harmonized standards are then meant to help manufacturers meet the rules: once it is established that the specific technical solutions described in these standards satisfy the legal requirements, products built in accordance with them are presumed to be compliant. Manufacturers can carry out a corresponding self-assessment or rely on an assessment by an independent conformity assessment body.
Open source is out?
The Commission has also taken the first steps toward subjecting certain devices to a further clause intended to ensure "that only such software can be loaded for which the conformity of its combination with the radio equipment has been proven". According to critics, this would mean that devices on wireless networks could only run software authorized by the manufacturer. The result would be a "radio lockdown" and the exclusion of the open source and maker scene from the technology.
The Commission has already initiated an impact assessment for this clause. That assessment also mentions potential "significant side effects in the form of delays in compliance testing and associated costs". The plan is, however, not off the table yet.